Security

Giving Up Passwords For Chocolate

Posted by CmdrTaco
from the my-password-is-hershey dept.
RonnyJ writes "The BBC is reporting that, according to a recent survey, more than 70% of people would willingly give up their computer password in exchange for as little as a bar of chocolate. Over a third of the people surveyed even gave out their password without having to be bribed, and most indicated that they were fed up with having to use passwords."
  • Wait a minute (Score:5, Insightful)

    by JohnGrahamCumming (684871) * <slashdot.jgc@org> on Tuesday April 20, 2004 @08:20AM (#8915055) Homepage Journal
    They didn't actually test these passwords; they just said "I'll give you a bar of chocolate if you give me your password".

    So people can just make it up.

    Yes, Mr "Researcher", if offered chocolate, 79% of people can think of a random word.

    Big deal,
    John.
  • by dummkopf (538393) on Tuesday April 20, 2004 @08:24AM (#8915081) Homepage
    for most internet users there is no real value attached to their computer accounts. it is not the same as the pin for your ATM card where, if shared, it would mean an empty account. hence it is understandable that they are willing to share this information.

    this, i think, is a big problem and the only way to solve it is to re-educate people for them to understand that such a password is important and should not be shared. clearly an alternate solution would be to install fingerprint scanners on all computers (a viable option in the future), but that would not help overcome the erroneous attitude towards computer security. in fact, such scanners would work well as again people are used to the fact that their fingerprint makes them unique and should not be "shared".

    finally, this will be an important concern in the future: already we are able to shop online and the future where all transactions go via the internet is near. one account (a la .NET) will be enough to deal with fueling up a car or buying a bunch of roses. probably then the attitude will change, when some smart scammers burn some people's fingers...
  • Sad but true... (Score:4, Insightful)

    by mitchell_pgh (536538) on Tuesday April 20, 2004 @08:25AM (#8915089)
    Most likely, the people willing to give up their passwords have very little to protect. For many, it wouldn't be life altering if their email was read, their MP3 collection viewed and downloaded and their favorite version of solitaire copied as well. I would argue that the people with valuable data wouldn't give out such information (like many of us in this forum). Also, many people have the luxury that even if the system was maliciously accessed with their user/pass that there would be zero repercussions. They would shrug their shoulders and remember the delicious piece of chocolate they had the day before.
  • by Simon Lyngshede (623138) <simon@spiceweaTOKYOsel.dk minus city> on Tuesday April 20, 2004 @08:26AM (#8915094) Homepage
    Most system administrators would wish that they had a company policy which allowed them to break the fingers of users who share their passwords.

    But if users don't like using passwords, why force them? I think they would discover very quickly why it's needed. Nothing like a "You suck" email sent from a user's account to the boss to make them realise that maybe it's not such a bad idea.

    A better solution would of course be widespread use of Kerberos; then at least they only need to enter their password once.
  • Re:Wait a minute (Score:5, Insightful)

    by the_mad_poster (640772) <shattoc@adelphia.com> on Tuesday April 20, 2004 @08:26AM (#8915098) Homepage Journal

    Depends what type of password they're asking for. I can imagine my boss giving up some of his real passwords for a bribe because he thinks "big deal... that one's not protecting anything sensitive anyway". Except, that comes down to him not understanding that whole "weakest link in the defenses" problem. Yeah, maybe THAT password isn't, but what does that give a malicious user access to that could be abused elsewhere? What app-level attacks are we now vulnerable to? What databases could be stolen? Could the attacker now impersonate you to get more information from other people?

    Management and business types, and of course home users, don't think security is a big complex model. They think "oh, we have a firewall... we're safe" and that's the end of it.

  • by dummkopf (538393) on Tuesday April 20, 2004 @08:27AM (#8915106) Homepage
    keep in mind that many people have to remember many passwords. this has the effect that the home password might be mami23, whereas the work password might be mami32...

    back when i was a sysadmin i once ran a test: we had asked all users to use DIFFERENT passwords for the 2 NT machines we had and all the other linux workstations. i started cracking passwords on the linux box and found some after 48h (~5% of user passwords). then i used L0phtcrack (awesome tool!) on the NT machine and had about 45% of the passwords after 24h. guess what: from those 45% about half worked also on the linux boxes...
  • by superhoe (736800) on Tuesday April 20, 2004 @08:31AM (#8915130) Homepage
    .. how many people would give away their chocolate for a password?!
  • by Anonymous Coward on Tuesday April 20, 2004 @08:31AM (#8915135)
    Remembering passwords is easy. I have lots of them.

    The key is to make them memorable, pronounceable non-words. You can do this using passwdgen on linux. Just set it to the number of characters, add the "pronounceable" switch and - optionally - the "non-alphanumeric characters" switch and you'll have something that is very secure yet easy for YOU to recall.

    Further, what a bunch of whiney fucks. "Boo hoo, I have to use passwords. Boo hoo, I have to use a key to open my car door, house, bank deposit box, home safety, glove compartment, trunk. Boo hoo, I have to turn the knobs on doors and open them before walking into a building or home or car."

    Come on people.
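To show what the consonant/vowel "pronounceable" scheme the post describes actually buys, here is an added example (not the tool's own code; the letter pools and the `pronounceable`/`entropy_bits` names are assumptions) that generates such a non-word with a CSPRNG and compares the size of its choice space with a fully random alphanumeric string of the same length:

```python
"""Pronounceable non-word generator plus an honest entropy estimate.

Added example, not the original post's tool. The pools below are assumed;
real tools use larger syllable tables, but the trade-off is the same:
alternating consonants and vowels makes the result sayable at the cost of
fewer choices per character than a uniformly random string."""
import math
import secrets

CONSONANTS = "bcdfghjklmnprstvz"   # 17 letters (assumed pool)
VOWELS = "aeiou"                    # 5 letters
SYMBOLS = "!#$%&*+-=?@"             # 11 symbols for the optional "non-alphanumeric" option
ALNUM_SIZE = 26 + 26 + 10           # size of the pool a plain random generator draws from


def pronounceable(length: int, symbols: bool = False) -> str:
    """Return a sayable non-word: consonant, vowel, consonant, ...; if `symbols`
    is set the last position is a symbol instead, keeping the total length."""
    letters = length - (1 if symbols else 0)
    out = []
    for i in range(letters):
        pool = CONSONANTS if i % 2 == 0 else VOWELS
        out.append(secrets.choice(pool))       # CSPRNG, not random.choice
    if symbols:
        out.append(secrets.choice(SYMBOLS))
    return "".join(out)


def entropy_bits(length: int, symbols: bool = False) -> float:
    """Entropy of the *scheme* for a given length (log2 of the number of
    strings it can produce), which is the figure an attacker who knows the
    scheme cares about."""
    letters = length - (1 if symbols else 0)
    consonant_slots = (letters + 1) // 2
    vowel_slots = letters // 2
    bits = consonant_slots * math.log2(len(CONSONANTS)) + vowel_slots * math.log2(len(VOWELS))
    if symbols:
        bits += math.log2(len(SYMBOLS))
    return bits


def random_alnum_bits(length: int) -> float:
    """Entropy of a uniformly random alphanumeric string of the same length."""
    return length * math.log2(ALNUM_SIZE)


def is_pronounceable(word: str) -> bool:
    """Check that a string follows the consonant/vowel alternation (symbols excluded)."""
    body = word.rstrip(SYMBOLS)
    return all((c in CONSONANTS) if i % 2 == 0 else (c in VOWELS) for i, c in enumerate(body))


if __name__ == "__main__":
    for n in (8, 10, 12):
        print(n, pronounceable(n, symbols=True),
              f"{entropy_bits(n, symbols=True):.1f} bits vs {random_alnum_bits(n):.1f} random")
```

The point for a defender is that a 10-character pronounceable non-word from this scheme carries roughly 32 bits of entropy, so it needs to be a good deal longer than a random string to offer the same resistance to an offline guess.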
  • by Evil Schmoo (700378) on Tuesday April 20, 2004 @08:40AM (#8915199) Homepage
    Absolutely. We're a government facility, including a few areas that are nominally very secure, and as such, we have an extremely good IT department, all of whom work tirelessly to prevent nasty people and things from seeing our noodlings.

    The problem is, the vast majority of people who work here are either academic researchers, who are used to open collaborative discussion and find passwords inherently distasteful, or administrative workers, who, while they may be very dedicated civil servants, find the different password systems for email, LAN logon, timesheets, billing, contracts, grants, etc., to be tedious at best and bewildering at worst. Since they are not allowed to have the same universal password, for obvious security reasons, nor is that password allowed to be a recognizable English phrase, they have a great deal of difficulty memorizing each one.

    Add in the fact that each password must be changed every six months at a minimum (monthly for some systems) and that passwords cannot be repeated for five cycles, and that's as many as fifty or so passwords over the course of a year for some administrative officers. That's a lot to ask, even for someone with a technically-oriented mindset.

    Recognizing that writing them in a booklet next to the desk- or lap-top is a problem, many offices have taken to writing them down inside a lockbox.

    Biometrics may help, but if our physical plant is any evidence, we'll be ten or so years behind the curve getting such systems installed.

  • by panda (10044) on Tuesday April 20, 2004 @08:42AM (#8915218) Homepage Journal
    Ha! As ignorant as most bosses and users are, I could easily send a "You suck" email from halfway around the world that would pass for real in any examination that most users would put to it. The only one who would know it's fake is the mail admin., and with some of the admins that I've had to deal with at other sites lately, I'm not sure even the mail admin. would necessarily be able to tell it was forged.

  • by not_a_product_id (604278) on Tuesday April 20, 2004 @08:43AM (#8915223) Journal
    Actually, I strongly suspect that most people will actually just come up with their password unless they had time to 'prepare' an answer. (particularly the people that will give up a password for a chocolate bar)
  • by rew (6140) <r.e.wolff@BitWizard.nl> on Tuesday April 20, 2004 @08:43AM (#8915231) Homepage
    Even back in the days I did call support for an ISP, sometimes I'd just ask their login name and they'd just blurt out, "My login is sueray22 and my password is newyork!"

    Recently I've been asked by "tech support" for some stupid websites for my username AND password. Does someone here know a site that explains the CONs about this?

    One holds my employee's salaries and such. I'm perfectly happy that the support people can access that if they need to. The system can then log "helpdesk-Tom" accessed XYZ's financial data, and get possible problems after that figured out. If I give him my password, it'll look as if I used some stupid dialup with my password, and it's my word against their logs that it wasn't me....

    The other case would have allowed the helpdesk guy to order goods in my name. Volume two of the catalog is over 2000 pages. Volume one is less thick (and currently not on my desk). To give you an idea about how many products he'd be able to choose from.....
  • by WebMasterJoe (253077) <joeNO@SPAMjoestoner.com> on Tuesday April 20, 2004 @08:45AM (#8915244) Homepage Journal
    I don't understand why people have a problem with passwords. Are geeks' brains really wired so differently to "non-geeks"?
    You bet they are. The non-geek brain usually assumes they will tell somebody their password at some point (for convenience most likely) so they tend to choose something that is representative of their lives - like the name of a son or daughter, pet, or an anniversary date. Some people use the password as an ego boost, like the name of an author or classical composer. When they type in that password, they feel good about themselves for being "associated" with such greatness, even though that connection wouldn't even exist if they hadn't chosen to create it.

    It sounds funny to the geek, who prides himself on the security of his passwords and winces every time his wireless provider asks him to say his password over the phone. h-d-asterisk--

    "Asterisk?"

    Yeah, hit shift-8. h-d-asterisk-capital-l-capital-v-lowercase-b-close-parenthesis. You see, we geeks are nightmares for those telemarketers.
  • by retards (320893) on Tuesday April 20, 2004 @08:51AM (#8915290) Journal
    The problem with biometrics is that if someone compromises your "password" (never mind how), you cannot get a new one, unless you get new irises or thumbs implanted.

    Passwords are used in part because of history, but mostly because they work and can be changed.

    "Sir, your bio-passport is invalid due to it being compromised. No, I'm sorry, sir, you cannot get a new one. No, not ever."
  • This is news? (Score:5, Insightful)

    by Trolling4Dollars (627073) on Tuesday April 20, 2004 @08:54AM (#8915310) Journal
    While password policies and the security that they provide are pretty much the recommended approach these days, they rely heavily on one resource that many people have a lot of trouble with: long term memory. Sorry, but it's 2004... where is voice print ID or fingerprint ID, or even dna sampling? MacOS was on the right track, but the technology was a little too early. Ahem!!! Time for the OSS/Free community to show the rest of the world where authentication is going. Voice Print ID should be a part of Gnome.
  • by hal2814 (725639) on Tuesday April 20, 2004 @08:55AM (#8915314)
    One of our computer systems at work requires a complex password that has to be changed to something new regularly. You don't even need a bar of chocolate to figure out their current password. It's usually "hidden" under their mousepad or sometimes they don't even bother to do that and just tape their password list to their monitor with a nice arrow pointing to their current password. Fortunately, most of our systems do not work this way.

    Once upon a time I was an advocate of regularly changing passwords, but not anymore.
  • by bwy (726112) on Tuesday April 20, 2004 @08:56AM (#8915330)
    So true, and I've guessed users' passwords a few times when needed because I knew the names of their kids, etc. Of course, I can understand how this happens. I'm well aware of how many passwords I have and I've had to implement a similar functioning but more secure solution to the post-it note passwords. I use SplashID on my Palm device that stores but encrypts my passwords. Folks just have SO many web sites that use different passwords, and to make it worse, most of the sites don't have the same username. Either the site won't let you pick your own username, or mine was already taken, or I created an account but lost a credit card so the username can't be used again, etc. It's a total mess. Makes me wonder how much value some of these web sites add. Maybe it was good enough paying my bills with a check every month and waiting for my paper bank statements to come every month, etc.
  • by Colonel Angus (752172) on Tuesday April 20, 2004 @09:05AM (#8915401)
    Sounds like the latter. Anyone in a non-IT has no reason or business knowing any of those passwords.
  • by Safety Cap (253500) on Tuesday April 20, 2004 @09:09AM (#8915454) Homepage Journal
    Boo hoo, I have to use a key to open my car door, house, bank deposit box, home safety, glove compartment, trunk.
    How many people would give up the key to their house for a bar of chocolate?

    As we learned in Econ 101, it probably comes down to value. Most people do not ascribe value to computer security; they see it as "something the IT guys make us do." Example: walk into any small shop and check out their security. It has been my experience that all passwords are taped to the monitor more times than not, or you can just ask the admin for them.

    On the other hand, people ascribe much more value to the security of their home and/or car.

  • by Nephilium (684559) on Tuesday April 20, 2004 @09:14AM (#8915501) Homepage
    Ummm... how is a computer password any different than a PIN number for most users? How many regular users do you know who use IE (or even Mozilla/FireFox) to save all of their passwords? Including their on-line banking usernames and passwords... all of their credit card usernames and passwords... and all of the sites that they trusted with their credit card information...

    And dealing with the fingerprint issue... The Reg [theregister.co.uk] just had a write up about it...

    Nephilium
  • by 0x0d0a (568518) on Tuesday April 20, 2004 @09:21AM (#8915585) Journal
    The "I hate passwords" attitude is not merely (or even primarily, IMHO) a function of users doing something wrong. It is a function of poorly designed security, or of security designed for a different environment being reused for current systems.

    Passwords came into popularity a long time ago. Things that have changed since the introduction of the password:

    * Many people have accounts on many, many systems (thanks to websites with accounts).

    * Users on such systems may not be primarily benevolent -- on a UNIX box used by a small bunch of researchers in the early 80s, a password may be an acceptable barrier to anyone poking around. A password on eBay, on the other hand, may be of interest to a number of less savory characters.

    * The ability to attack systems has significantly increased. Internet accessibility means that remote, hard-to-trace attacks are more common. A brute force attack on a computing system physically isolated in a building may be simply infeasible, and choosing "cheese" as a password may be perfectly acceptable -- such a thing is no longer reasonable.

    * Computing power is much greater now. Attacks on password hashes (including those sent over the network) are much more feasible. The relative strength of passwords to CPUs has decreased logarithmically.

    * Many systems require passwords frequently. If you are a defense contracting employee, you might have only needed your password once when walking in the door in the morning and once after lunch. Now, corporate intranets have passwords, Yahoo has passwords, Slashdot has passwords, eBay has passwords, etc. Many of these require passwords multiple times a day (or, if they have an option to cache a password, do not have sufficient data about the client side to know how long it is safe to continue to cache the data).

    * The demographic of password users has changed. Almost everyone has many passwords now -- not just a couple of engineers or scientists, or the occasional person with an ATM PIN.

    What I Suspect Needs To Be Changed

    A couple of things that probably need to change:

    * It needs to be standard (and have a common interface for doing so) for users to be able to delegate a subset of their authority. Few systems currently have authorization systems smart enough to allow users to delegate chunks of their power to other users for a short term (and audit any moves). This needs to be simple, *easy*, and secure. If Sharon wants to let Bob purchase something online and charge it to her credit card account, she needs a quick and easy way to say "I authorize Bob to spend up to $500 in the next week and charge it to my credit card." That could be via her cell phone or on a computer. Most systems should have at least several forms of authorized actions that can be delegated to other users that require no more than entering a limit on the degree of the actions taken. A list of actions that other users have taken with that authorization should also be easily visible.

    * Where feasible, passwords should be replaced by smartcard/PIN combinations. It's easier to remember a four-digit PIN than a long, secure password, and for anyone that doesn't have physical access to a user's smartcard, the strength of the token on the card is much greater than that of a password. Currently, this is particularly disastrous in the form of credit card information. Currently, many vendors store full credit card information used in purchases in databases. If any such database is compromised, authentication data providing full access to money accounts is granted the compromiser -- this is, frankly, insane. Credit card providers have one effective line of defense against a compromised card -- they do statistical analysis against purchases, which isn't the most reliable method of dealing with such attacks, and requires intense monitoring of anything users do -- producing a strong disincentive to provide users with privacy. (I realize that there are a few attempts at improving t
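The scoped-delegation idea in the post above ("I authorize Bob to spend up to $500 in the next week", with an audit trail) can be made concrete. The following is an added example, not code from any system the post mentions; the `DelegationService` API, the HMAC-signed grant format and the names Sharon/Bob are assumptions. It enforces the four properties such a grant needs: bound to one grantee and one action, capped cumulatively, time-limited, and revocable, with every attempt logged whether it succeeded or not.

```python
"""Delegating a bounded subset of a user's authority, with audit.

Added illustration; the service API and grant format are assumed, not a real
product's. A grant is server-signed so the grantee cannot raise their own
limit, and the server tracks consumption, revocation and an audit log."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    grant_id: str
    grantor: str      # who delegates (Sharon)
    grantee: str      # who may act (Bob)
    action: str       # the one delegated action, e.g. "charge_card"
    limit: float      # cumulative ceiling for that action under this grant
    expires_at: float  # unix time after which the grant is dead
    sig: str          # HMAC-SHA256 over the fields above, keyed by the server


class DelegationService:
    def __init__(self, server_key: bytes):
        self._key = server_key
        self._used = {}       # grant_id -> amount consumed so far
        self._revoked = set()
        self.audit = []       # (grant_id, actor, action, amount, outcome), visible to the grantor

    def _sign(self, fields: dict) -> str:
        msg = json.dumps(fields, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, grantor: str, grantee: str, action: str,
              limit: float, now: float, ttl_seconds: float) -> Grant:
        """Grantor delegates `action` up to `limit` to `grantee` for `ttl_seconds`."""
        fields = dict(grant_id=secrets.token_hex(8), grantor=grantor, grantee=grantee,
                      action=action, limit=float(limit), expires_at=float(now + ttl_seconds))
        grant = Grant(**fields, sig=self._sign(fields))
        self._used[grant.grant_id] = 0.0
        return grant

    def revoke(self, grant_id: str) -> None:
        """Grantor withdraws the delegation early; later uses are refused."""
        self._revoked.add(grant_id)

    def use(self, grant: Grant, actor: str, action: str, amount: float, now: float) -> str:
        """Attempt to exercise the grant. Returns "ok" or the reason for refusal.
        Checks run in order: integrity, revocation, expiry, grantee, action, limit."""
        fields = {k: v for k, v in grant.__dict__.items() if k != "sig"}
        if not hmac.compare_digest(self._sign(fields), grant.sig):
            outcome = "bad-signature"          # tampered or forged grant
        elif grant.grant_id in self._revoked:
            outcome = "revoked"
        elif now > grant.expires_at:
            outcome = "expired"
        elif actor != grant.grantee:
            outcome = "wrong-grantee"
        elif action != grant.action:
            outcome = "wrong-action"
        elif self._used.get(grant.grant_id, 0.0) + amount > grant.limit:
            outcome = "over-limit"             # cumulative, not per-use
        else:
            self._used[grant.grant_id] = self._used.get(grant.grant_id, 0.0) + amount
            outcome = "ok"
        self.audit.append((grant.grant_id, actor, action, amount, outcome))
        return outcome


if __name__ == "__main__":
    svc = DelegationService(b"constructed-server-key")
    g = svc.issue("sharon", "bob", "charge_card", 500, now=0, ttl_seconds=7 * 86400)
    print(svc.use(g, "bob", "charge_card", 300, now=3600))   # ok
    print(svc.use(g, "bob", "charge_card", 250, now=3600))   # over-limit
    for entry in svc.audit:
        print(entry)
```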
  • by theLOUDroom (556455) on Tuesday April 20, 2004 @09:23AM (#8915613)
    Now, I just need to figure out how to do strong biometric identification over ssh or SSL-imap...

    I know you mean this as a joke, but I want to take a second to remind people why biometric authentication is stupid:
    • Your biometrics are not secret
    • Your biometrics are not changeable

    When you're using some sort of key/password, you want it to meet the following criteria:
    • Secret
    • Changeable
    • Hard to duplicate
    • Hard to guess

    Many of the best security systems rely on "something you know and something you have". This means that there is a physical object, and some sort of password.
    Biometrics are stupid because they rely on the secrecy of something like your fingerprints, which you leave on everything you touch. They're just not secret. And they're not changeable once the secret is out and the bad guys have your fingerprints.

    It makes me cringe every time I hear about biometrics being used as a substitute for passwords, credit card numbers etc. [slashdot.org] What happens when I get a copy of your fingerprint (using only a piece of tape and some talc)? I can go around making purchases as you, and it's not exactly like you can cancel your fingerprints and get new ones.

    The only place biometrics really shine are the times when the person doesn't WANT to be identified. You kinda have to carry your fingerprints around with you. For everything else, they suck.

    I would much rather fork over my credit cards at gunpoint than be kidnapped or have my fingers chopped off.
  • by AbbyNormal (216235) on Tuesday April 20, 2004 @09:37AM (#8915764) Homepage
    "Boo hoo, I have to use passwords. Boo hoo, I have to use a key..."

    True, but does turning a key force you to remember a complex stored memory? Nope.
  • by hackstraw (262471) * on Tuesday April 20, 2004 @09:39AM (#8915794)
    Why in the world in 2004 are we still using username/passwords as the primary means of authentication and authorization?

    Usernames and passwords do nothing to authenticate someone. All they mean is that someone knows a username and password. Besides being a lousy way to authenticate somebody, passwords are a pain in the ass. Everybody has different rules for having a "good password", they expire at different times, and it seems as though every website now requires a username and password to buy something, or read extra content, or whatever. It's gotten so out of hand that I make up 99% of my usernames and passwords and redo it every time I go to the site.

    Compare this to going to a physical place like a store or restaurant. When you go to a bar or nightclub, does the doorman say, "Hey man, come into this room here, and fill out some forms. You must then think of a unique name that's not your real name, and please make a list of some random characters that should be different from every other nightclub that you go to, and remember both of these every time you come back here. Oh yeah, I need to see an ID too, because it's the law that you have to be 21 to drink."?

    If someone asked me to do this, I'd tell them to go to hell.

    But this is OK to do this with computers? Why?

    PKI [pki-page.org] is out there, been around for quite some time. There can be X.509 certs that have things like your age, address, etc, that have been issued by somebody with some form of verification process, and signed by that issuer. These certs can be used over and over again, and the information in them can be given to whomever asks. Wanna look at some free porn? Well, give me your cert field that says you're over 18 please. No username, no password, and very little chance that little Johnny will have access to such a cert. Oh, and this cert can be stored on a credit card sized piece of plastic called a smartcard [faqs.org]. I have probably close to 10 credit card sized cards in my wallet, I bet you have a few as well.

    Sometimes it amazes me how much different situations can be when a computer is involved. For example, how many other times in your life have you used a password besides on a computer? I can hear the tin foil heads saying that "Using an ID with a computer will violate my privacy!" Yet it's completely voluntary for you to give up the information either via filling out a form, or by showing an ID physically or electronically. Is anyone's privacy any better with the current system?

    I wonder how much longer it's going to take before we get out of the username/password insanity.
  • by clary (141424) on Tuesday April 20, 2004 @09:47AM (#8915898)

    (And making them re-do 5 months worth of work seems to be a good enough incentive)

    If you worked for me, you would not get an opportunity to do this a second time. Sanctioning the offender is fine, but costing the company 5 months worth of work is not.
  • Unfair survey... (Score:5, Insightful)

    by aksansai (56788) <aksansai@gLAPLACEmail.com minus math_god> on Tuesday April 20, 2004 @10:08AM (#8916137)
    The survey is focused on their computer passwords. The responses from the people are typical considering the average person does not know how much is tied to that password. "I don't have anything special in my email that someone can read..." or "What can someone do with my password...?"

    The survey should have also asked the following questions:

    1) Please specify your major credit card number and expiration date.
    2) Please specify your address, bank account number, and SSN (if it applied to citizens of the United States - otherwise insert THEIR form of special identification).

    Would the numbers have coincided as to who revealed that particular bit of information? Absolutely not. The average person would see the risk in giving those pieces of information to a complete stranger.

    If a direct association could be made between their Internet password and their money, those people would have guarded their password under lock and key. Why? Because the loss of money is readily understood, versus having to call an ISP and say "Someone hijacked my account."

    Although people may be tired of using passwords (or PIN numbers), they are still a somewhat effective means of preventing improper access to their assets, be it Internet access, money, or personal information. The quality of the password is directly related to the importance of the stuff being protected.

    The article cites that birthdates, pet names, etc. are common passwords. However, if someone applied the same level of protection on say...

    Instead of asking that 16-digit number (an abstract version of a password), one were to ask "What is your credit card phrase?" Answer: "Buddy."

    Instead of asking that expiration date, one were to ask "What is your age?" Answer: 30. These easy "passwords" would make it easier to make fraudulent charges on someone's account.

    Public awareness of the importance of securing their own personal information is a key issue that needs to be resolved. Using an easy to understand analogy would be a good first step for those who are being surveyed.

  • Password Rules (Score:5, Insightful)

    by Baby Duck (176251) on Tuesday April 20, 2004 @10:11AM (#8916163) Homepage
    My biggest gripe about website passwords is the lack of consistency in password rules.
    • Some let you use special characters.
    • Some don't.
    • The set of allowed special characters differs for those who do
    • Some are case sensitive
    • Some are smashcase
    • Some allow just numbers
    • Character length range is wildly variable
    • Some make you change your password and won't let you use your last X passwords
    • Some force you to do weird stuff like "at least one uppercase, at least one lowercase, at least one number"

    It irks me, because even if I wanted to use a completely different password for every login, there is no pattern or strategy I can follow to appease all of them.

  • SecurID! (Score:4, Insightful)

    by mjh (57755) <mark@NOSPAM.hornclan.com> on Tuesday April 20, 2004 @10:33AM (#8916449) Homepage Journal
    I have a securid card that I use for logging into a number of different things at work. I wish it was used for *EVERYTHING*. I'd never have to remember another password in my life (unless you count my PIN as my password). I'd never have to deal with varying password changing schemes on multiple systems. Which result in having multiplying passwords which I have to remember, which require me to enter them into STRIP [zetetic.net].

    I wish I could use SecurID (or something like it) for everything. It would dramatically simplify my life.

  • Re:Ugh (Score:3, Insightful)

    by Oswald (235719) on Tuesday April 20, 2004 @10:49AM (#8916639)
    I find your attitude unrealistic.

    Honestly, who do you know that bitches and moans about having to use a separate key for both their car and house/apartment?

    Nobody, because people can easily see the reason for this. That doesn't mean it's a great thing. Lots of people hide keys, in case they misplace one--near the door to their house, in magnetic boxes under a fender, under a rock, etc. A system that relies on the memory and presence of mind of average (or, frequently, above-average) people to maintain security is going to be crackable by social means--always has been, always will be.

    It seems to me that the reason we can't just accept this and get on with it is the tantalizing possibility of a technical fix. But, every time that gets brought up for discussion, technocrats like you start crying that it's not THEIR problem--even though it manifestly IS their problem. Apparently, human nature is so frustratingly scatterbrained compared to machines that we're going to spend all our time crying about what lazy idiots the (l)users are, rather than finding a way to use the machines to fix the problem.
